Enrollment of Hybrid Entra ID joined non-persistent VMs into Microsoft Intune (Preview)

With this preview, you can enroll Hybrid Entra ID joined non-persistent VMs into Microsoft Intune (together with Configuration Manager) for co-management. The feature applies to single-session and multi-session non-persistent VMs on all hypervisors and cloud services, so the same device management applies across your infrastructure. To use the feature, the VDA version must be 2407 or later.

See Co-management and Create co-management enabled catalogs.

Note:

Since July 2023, Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. In this document, any reference to Hybrid Azure AD refers to Microsoft Entra hybrid join.

Participate in Tech Preview

If you’re interested in participating in the Tech Preview, provide your contact information here.

Co-management

This article describes the requirements to create co-management enabled catalogs using Citrix DaaS in addition to the requirements outlined in the Citrix DaaS system requirements section.

Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune. For more information, see Co-management. The devices must meet the minimum system requirements. For more information, see the Microsoft documentation supported operating systems and browsers in Intune.

Co-management relies on Hybrid Azure AD join: a device must be joined to both the on-premises Active Directory domain and Azure AD before Configuration Manager can enroll it in Microsoft Intune.

Prerequisites

Before enabling this feature, verify that:

  • Your Azure environment meets the licensing requirements to use Microsoft Intune. For more information, see the Microsoft documentation.
  • You have a valid Configuration Manager deployment with co-management enabled. For more information, see the Microsoft documentation.

Requirements

  • Control plane: Citrix DaaS
  • VDA type: Single-session or multi-session
  • VDA version: 2407 or later
  • Provisioning type: Machine Creation Service (MCS), Non-persistent
  • Assignment type: Dedicated and pooled
  • Hosting platform: Any hypervisor or cloud service

Limitations

  • Do not skip image preparation while creating or updating machine catalogs.
  • Internet-based client management (IBCM) of Configuration Manager is not supported.

Considerations

  • Intune enrollment might be delayed if too many machines in the catalog are powered on simultaneously.

    Microsoft enforces a per-tenant Intune enrollment limit on the number of devices that can enroll within a given time window. The limit depends on the number of Microsoft Intune licenses associated with the tenant; consult your Microsoft account team for your tenant's value. Staying within that limit is what keeps Intune enrollment scaling in large environments.

    For non-persistent machines, limit concurrent power actions in Autoscale or when issuing manual power actions so that enrollment requests are spread out over time.

  • Configure Cloud Attach of Configuration Manager. For more information, see the Microsoft documentation.
  • Manually install Configuration Manager client on the master VM without assigning the site code. For more information, see the Microsoft documentation.
  • MCS-created machines use the automatic site assignment mechanism to find site boundary groups that are published to Active Directory Domain Services. Ensure that the boundaries and boundary groups of Configuration Manager are configured in your environment. If automatic site assignment is not available, configure a static Configuration Manager site code in the master VM through the following registry setting:

    Key:

     HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MachineIdentityServiceAgent\DeviceManagement
    

    Value name: MdmSccmSiteCode

    Value type: String

    Value data: the site code to be assigned
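As an added example (not Citrix's or Microsoft's code), the following PowerShell, run elevated on the master VM before image preparation, checks that the Configuration Manager client is installed but has no site assigned, and writes the static site code to the Citrix registry key above only when automatic site discovery does not resolve one. The function name and the site code PS1 are placeholders.

```powershell
# Added example, not Citrix's or Microsoft's code. Run elevated on the master VM
# before image preparation. Function name and the 'PS1' site code are placeholders.

function Set-StaticSccmSiteCode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Configuration Manager site codes are three alphanumeric characters
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Z0-9]{3}$')]
        [string]$SiteCode,

        # Set the static code even if AutoDiscoverSite resolves a site
        [switch]$Force
    )

    # The client must be installed (without a site code, per the guidance above).
    if (-not (Get-Service -Name CcmExec -ErrorAction SilentlyContinue)) {
        throw 'Configuration Manager client (CcmExec service) is not installed on this master VM.'
    }

    $sms = New-Object -ComObject 'Microsoft.SMS.Client'
    try { $assigned = $sms.GetAssignedSite() } catch { $assigned = $null }
    if ($assigned) {
        Write-Warning "Client is already assigned to site '$assigned'. Reinstall the client without a site code before using this image."
        return
    }

    # Prefer automatic site assignment from AD-published boundary groups.
    try { $discovered = $sms.AutoDiscoverSite() } catch { $discovered = $null }
    if ($discovered -and -not $Force) {
        Write-Host "AutoDiscoverSite resolved '$discovered'; no static site code needed (use -Force to set one anyway)."
        return
    }

    $key = 'HKLM:\SOFTWARE\Citrix\MachineIdentityServiceAgent\DeviceManagement'
    if ($PSCmdlet.ShouldProcess($key, "Set MdmSccmSiteCode = $SiteCode")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'MdmSccmSiteCode' -Value $SiteCode -PropertyType String -Force | Out-Null
        # Read back what the MCS agent will see on provisioned machines
        Get-ItemProperty -Path $key -Name 'MdmSccmSiteCode' | Select-Object MdmSccmSiteCode
    }
}

# Set-StaticSccmSiteCode -SiteCode 'PS1' -WhatIf   # preview only
# Set-StaticSccmSiteCode -SiteCode 'PS1'
```

Running with -WhatIf shows the registry write without performing it, which is useful for confirming the key path on an image before you commit to it.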

Create co-management enabled catalogs

You can create co-management enabled catalogs in Citrix DaaS using Studio or PowerShell:

Use Studio

The following information is a supplement to the guidance in Create machine catalogs.

In the Machine Catalog Setup wizard:

  • On the Machine Identities page, select Hybrid Azure Active Directory joined and then Enroll the machines in Microsoft Intune with Configuration Manager. The VMs are then managed by both Configuration Manager and Microsoft Intune (that is, co-managed).

Use PowerShell

The following are the PowerShell steps equivalent to operations in Studio.

To enroll machines in Microsoft Intune with Configuration Manager using the Remote PowerShell SDK, use the DeviceManagementType parameter of New-AcctIdentityPool. This feature requires that the catalog is Hybrid Azure AD joined and that the Azure AD tenant has the required Microsoft Intune licenses.

The difference between Hybrid Azure AD joined catalogs and co-management enabled ones lies in the creation of the identity pool. For example:

New-AcctIdentityPool -AllowUnicode -DeviceManagementType "IntuneWithSCCM" -IdentityType "HybridAzureAD" -IdentityPoolName "CoManagedCatalog" -NamingScheme "CoManaged-VM-##" -NamingSchemeType "Numeric" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
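As an added example (not Citrix's code), the following wraps the identity pool creation so that it reuses a pool that already exists under the same name and then verifies that the pool really is configured for co-management before you build a provisioning scheme on it. It assumes the Remote PowerShell SDK is installed and authenticated, that the returned pool object exposes IdentityType and DeviceManagementType properties matching the parameter names, and that any other parameters your environment requires (for example the AD domain) are added as described in Create machine catalogs. The pool name, naming scheme and ZoneUid are the placeholders from the command above.

```powershell
# Added example, not Citrix's code. Assumes the Remote PowerShell SDK is loaded
# and authenticated. Property names on the returned object are assumed to match
# the New-AcctIdentityPool parameter names.

function New-CoManagedIdentityPool {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][string]$NamingScheme,
        [Parameter(Mandatory)][guid]$ZoneUid
    )

    # Reuse an existing pool with this name instead of failing on a duplicate.
    $pool = Get-AcctIdentityPool -IdentityPoolName $PoolName -ErrorAction SilentlyContinue
    if ($pool) {
        Write-Warning "Identity pool '$PoolName' already exists; verifying its settings only."
    } else {
        # Co-management needs a Hybrid Azure AD identity plus IntuneWithSCCM device management.
        $pool = New-AcctIdentityPool -AllowUnicode `
            -IdentityType 'HybridAzureAD' `
            -DeviceManagementType 'IntuneWithSCCM' `
            -IdentityPoolName $PoolName `
            -NamingScheme $NamingScheme `
            -NamingSchemeType 'Numeric' `
            -Scope @() `
            -ZoneUid $ZoneUid `
            -ErrorAction Stop
    }

    # Fail early if the pool (new or pre-existing) is not a co-management pool.
    if ($pool.IdentityType -ne 'HybridAzureAD' -or $pool.DeviceManagementType -ne 'IntuneWithSCCM') {
        throw "Pool '$PoolName' is not configured for co-management (IdentityType=$($pool.IdentityType), DeviceManagementType=$($pool.DeviceManagementType))."
    }
    $pool
}

# New-CoManagedIdentityPool -PoolName 'CoManagedCatalog' -NamingScheme 'CoManaged-VM-##' `
#     -ZoneUid '81291221-d2f2-49d2-ab12-bae5bbd0df05'
```

The verification step matters because a pre-existing pool created as plain Hybrid Azure AD joined will provision machines that never enroll in Intune, and the failure only surfaces later under Troubleshoot.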

Troubleshoot

If machines fail to enroll in Microsoft Intune or fail to reach co-management state, do the following:

  • Check Intune license

    Check if your Azure AD tenant is assigned with the appropriate Intune license. See Microsoft Intune licensing for license requirements of Microsoft Intune.

  • Check Hybrid Azure AD join status

    Check if the MCS-provisioned machines are Hybrid Azure AD joined. Machines that are not Hybrid Azure AD joined are not eligible for co-management. See Troubleshoot for Hybrid Azure AD join issues.

  • Check co-management eligibility

    • Check if the MCS-provisioned machines are correctly assigned with the expected Configuration Manager site. To get the assigned site, run the following PowerShell command on the affected machines.

       (New-Object -ComObject "Microsoft.SMS.Client").GetAssignedSite()
      
    • If no site is assigned to the VM, use the following command to check if the Configuration Manager site can be automatically discovered.

       (New-Object -ComObject "Microsoft.SMS.Client").AutoDiscoverSite()
      
    • If no site code can be discovered, ensure that boundaries and boundary groups are correctly configured in your Configuration Manager environment. See Considerations for details.

    • Check C:\Windows\CCM\Logs\ClientLocation.log for any Configuration Manager client site assignment issues.

    • Check the co-management state of the machines. Open the Configuration Manager control panel on the affected machines and go to the General tab. The Co-management property must show Enabled. If it does not, check C:\Windows\CCM\Logs\CoManagementHandler.log.

  • Check Intune enrollment

    Machines might fail to enroll in Microsoft Intune even if all prerequisites are satisfied. Check Windows event logs under Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider for Intune enrollment issues.
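As an added example (not Citrix's or Microsoft's code), the following PowerShell collects the checks in this section into one report from an affected VM: Hybrid Azure AD join state from dsregcmd, the assigned and auto-discoverable Configuration Manager site via the COM client, the static site code carried over from the master image, the tails of ClientLocation.log and CoManagementHandler.log, and errors from the DeviceManagement-Enterprise-Diagnostics-Provider event channel. The function name and the tail/event counts are placeholders; run it elevated.

```powershell
# Added example, not Citrix's or Microsoft's code. Run elevated on an
# MCS-provisioned VM that has not reached co-management state. Uses the
# registry key, COM client, log files and event channel named in this article,
# plus dsregcmd for the join state. Function name is a placeholder.

function Test-CoManagementReadiness {
    [CmdletBinding()]
    param(
        [int]$LogTail = 30,      # lines to return from each CCM log
        [int]$EventCount = 50    # recent Intune diagnostics events to scan
    )

    $r = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # 1. Hybrid Azure AD join: both DomainJoined and AzureAdJoined must be YES.
    $dsreg = dsregcmd /status
    $r.DomainJoined  = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
    $r.AzureAdJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')

    # 2. Configuration Manager client and site assignment.
    $r.CcmClientInstalled = [bool](Get-Service -Name CcmExec -ErrorAction SilentlyContinue)
    $r.AssignedSite = $null
    $r.AutoDiscoveredSite = $null
    if ($r.CcmClientInstalled) {
        $sms = New-Object -ComObject 'Microsoft.SMS.Client'
        try { $r.AssignedSite = $sms.GetAssignedSite() } catch { }
        if (-not $r.AssignedSite) {
            # Nothing assigned: can AD-published boundary groups resolve a site?
            try { $r.AutoDiscoveredSite = $sms.AutoDiscoverSite() } catch { }
        }
    }

    # 3. Static site code carried over from the master image, if any.
    $citrixKey = 'HKLM:\SOFTWARE\Citrix\MachineIdentityServiceAgent\DeviceManagement'
    $r.MdmSccmSiteCode = (Get-ItemProperty -Path $citrixKey -Name MdmSccmSiteCode -ErrorAction SilentlyContinue).MdmSccmSiteCode

    # 4. Tails of the two client logs the article points to.
    foreach ($log in 'ClientLocation.log', 'CoManagementHandler.log') {
        $path = Join-Path 'C:\Windows\CCM\Logs' $log
        $r[$log] = if (Test-Path $path) { Get-Content -Path $path -Tail $LogTail } else { 'missing' }
    }

    # 5. Errors and warnings from the Intune enrollment diagnostics channel.
    $channel = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $r.EnrollmentProblems = Get-WinEvent -LogName $channel -MaxEvents $EventCount -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } |     # 1=Critical, 2=Error, 3=Warning
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    # Eligibility summary: co-management needs hybrid join plus a site-assigned client.
    $r.EligibleForCoManagement = $r.DomainJoined -and $r.AzureAdJoined -and $r.CcmClientInstalled -and [bool]$r.AssignedSite

    [pscustomobject]$r
}

# Usage:
# $report = Test-CoManagementReadiness
# $report | Select-Object ComputerName, DomainJoined, AzureAdJoined, AssignedSite, AutoDiscoveredSite, MdmSccmSiteCode, EligibleForCoManagement
# $report.EnrollmentProblems | Format-Table -Wrap
```

Read the summary in the order the page's checks appear: a machine with AzureAdJoined false needs the hybrid join fixed first; one with no AssignedSite but a non-empty AutoDiscoveredSite usually just needs time or a client restart; one with neither points at boundary groups or the static site code; and only a machine that is eligible but still missing from Intune needs the event-channel output.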
